GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.4.9: User-Installed Software Control

Uncontrolled user-installed software introduces security vulnerabilities, licensing risks, and compliance gaps across your organization. NIST 800-171 3.4.9 requires you to establish controls that prevent, detect, and manage unauthorized software installations. This control is critical for maintaining system integrity and protecting sensitive CUI.

What this means

Control 3.4.9 mandates that organizations implement mechanisms to prevent users from installing software without authorization and monitor systems for unauthorized installations. This includes establishing approved software lists, restricting installation privileges, using technical controls to block unapproved software, and maintaining visibility into what's running on your systems. The control recognizes that user-installed software—even when well-intentioned—can expose systems to malware, licensing violations, and configuration drift.

How to comply

  1. 1.Define a formal software authorization policy that specifies which applications users can install and the approval process required for new software requests
  2. 2.Implement technical controls (endpoint protection, application whitelisting, or Mobile Device Management) to prevent unauthorized software installation
  3. 3.Restrict administrative or elevated privileges to limit user ability to install software without IT oversight
  4. 4.Maintain an inventory of approved and blocked applications, updated regularly based on security assessments
  5. 5.Monitor systems for unauthorized software installations using endpoint detection tools or log analysis
  6. 6.Conduct regular audits of installed software across all systems to identify and remediate non-compliant installations
  7. 7.Document all software authorization requests, approvals, and rejections as audit evidence
  8. 8.Educate users on the software approval process and security risks of unauthorized installations

Evidence auditors look for

  • Software authorization policy document with clear approval procedures and roles
  • Approved software list maintained and reviewed at least annually
  • Endpoint protection or application whitelelist configuration logs
  • Software installation audit reports showing detection and remediation of unauthorized applications
  • Approval request templates and signed records for all authorized software
  • User acknowledgment records confirming training on software installation policies
  • System logs or monitoring tool dashboards showing enforcement of software restrictions
  • Incident logs documenting detection and removal of unauthorized software

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates software discovery and enforcement across your environment, flagging unauthorized installations in real-time and generating audit-ready reports for 3.4.9 compliance without manual log analysis.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.4.8 — Malicious Code Protection3.4.1 — Information System Boundaries3.4.2 — Access Points3.7.1 — Information System Monitoring